nerdexam
Cisco

210-255 · Question #118

Employees are allowed access to internal websites. An employee connects to an internal website and IDS reports it as malicious behavior. What is this example of?

The correct answer is C. false positive. When an IDS flags a permitted and legitimate action as malicious, the alert is a false positive - an incorrect detection of a threat that does not exist.

Security Monitoring

Question

Employees are allowed access to internal websites. An employee connects to an internal website and IDS reports it as malicious behavior. What is this example of?

Options

  • Atrue positive
  • Bfalse negative
  • Cfalse positive
  • Dtrue negative

How the community answered

(31 responses)
  • A
    3% (1)
  • C
    94% (29)
  • D
    3% (1)

Why each option

When an IDS flags a permitted and legitimate action as malicious, the alert is a false positive - an incorrect detection of a threat that does not exist.

Atrue positive

A true positive means the alert correctly identified real malicious behavior, but access to the site is authorized so no actual threat occurred.

Bfalse negative

A false negative means a real attack occurred but was NOT detected; the IDS did generate an alert, so this is not a missed detection.

Cfalse positiveCorrect

A false positive occurs when a security control incorrectly identifies benign, authorized activity as malicious. Because the employee has explicit permission to access the internal website, the IDS alert is inaccurate, making it a false positive rather than evidence of a real threat.

Dtrue negative

A true negative means no threat existed and no alert was raised; an alert was raised here, so this cannot be a true negative.

Concept tested: IDS false positive vs true positive classification

Source: https://csrc.nist.gov/glossary/term/false_positive

Topics

#false positive#IDS alert classification#true positive#detection accuracy

Community Discussion

No community discussion yet for this question.

Full 210-255 Practice